In air traffic management, conflict detection algorithms are used to determine whether
or not aircraft are predicted to lose horizontal and vertical separation minima within a
time interval assuming a trajectory model. In the case of linear trajectories, conflict
detection algorithms have been proposed that are both sound, i.e., they detect all conflicts,
and complete, i.e., they do not present false alarms. In general, for arbitrary nonlinear
trajectory models, it is possible to define detection algorithms that are either sound or
complete, but not both. This paper considers the case of nonlinear aircraft trajectory models
based on polynomial functions. In particular, it proposes a conflict detection algorithm
that precisely determines whether, given a lookahead time, two aircraft flying polynomial
trajectories are in conflict. That is, it has been formally verified that, assuming that the
aircraft trajectories are modeled as polynomial functions, the proposed algorithm is both
sound and complete.


I. Introduction 

Separation requirements in the airspace are typically given by a minimum horizontal separation, e.g., 5 
nautical miles, and a minimum vertical separation, e.g., 1000 feet. A loss of separation between two aircraft
occurs when both of these minima are simultaneously violated, and a conflict occurs when the aircraft are 
predicted to lose separation in the near future, usually 5 minutes. Conflict detection algorithms have as 
input the state information of two aircraft and a lookahead time. They return a Boolean value indicating 
whether or not the aircraft are in conflict, i.e., they are predicted to be in a loss of separation within the given 
lookahead time. When a conflict is detected, conflict resolution algorithms compute resolution maneuvers 
for the aircraft that maintain the required aircraft separation. Conflict detection and resolution (CD&R) 
systems are part of computer-based systems that assist pilots and air traffic controllers to maintain safety 
in the airspace by keeping aircraft separated. These separation assurance systems are critical elements of 
air/ground distributed operational concepts for the next generation of air traffic management systems such 
as the US’s Next Generation of Air Traffic Systems (NGATS) and Europe’s Single European Sky ATM
Research (SESAR).

CD&R algorithms rely on the reported state information of the aircraft. This state information typically 
includes 3D position and velocity vectors. A given aircraft trajectory model is then used to propagate 
the current state information forward in the future within the time interval determined by the lookahead 
time. Several state propagation methods for CD&R systems have been proposed. For example, state-based
conflict detection algorithms use a linear projection of the current state of the aircraft. This simple
aircraft trajectory model corresponds to a point mass moving along a straight line at constant speed. More 
sophisticated state propagation methods assume nonlinear trajectories or probabilistic trajectory models. 

Three important safety properties for conflict detection algorithms are soundness, completeness, and 
correctness. Given an aircraft trajectory model, an algorithm is sound if it only detects potential conflicts, 
i.e., if in every situation where the algorithm returns true, the aircraft are in conflict according to the 
trajectory model, then the detection algorithm is sound. An algorithm is complete if all conflicts are detected, 
i.e., if in every situation where two aircraft are in conflict according to the trajectory model, the algorithm 
returns true, then the detection algorithm is complete. Finally, a detection algorithm is correct if it is both 
sound and complete, meaning that the algorithm returns true if and only if the aircraft’s trajectories are
in conflict. The notions of soundness and completeness are related to the notions of false alerts and missed 
alerts and they may play a role in the development of safety cases for the certification of CD&R systems. 

For linear trajectories, i.e., trajectories where the initial velocity does not change within the lookahead 
time, it is possible to define algorithms that are correct, i.e., sound and complete. Unfortunately, for
nonlinear trajectory models, designing a conflict detection algorithm that is correct is more challenging. 
One way to design a detection algorithm for an arbitrary trajectory model is to test a number of sample 
points, representing aircraft positions within a given lookahead time, and return the Boolean value true if 
some of those points are in loss of separation. Such an algorithm is sound but not complete, since it cannot 
detect conflicts that occur outside the set of sample points. 

In previous work, the authors proposed a detection algorithm for arbitrary nonlinear trajectory models 
and formally verified its main safety properties. That algorithm is based on a numerical method using 
Bernstein polynomials, which are a particular case of spline functions. The algorithm explicitly computes a 
small interval enclosure for the smallest distance between two aircraft during a lookahead time, and returns 
a Boolean value depending on this information. That algorithm can be proved to be correct within some 
approximation bounds. More precisely, by modifying the separation minima (both horizontal and vertical), 
the algorithm is provably sound or provably complete. However, for given separation minima it cannot 
simultaneously satisfy both properties. 

In this paper, the authors present a new, formally verified conflict detection algorithm for aircraft
trajectories described by polynomials in the time variable. This algorithm is provably correct. Thus, given the
state information of two aircraft and a lookahead time, it returns the Boolean value true if and only if the
aircraft, which are assumed to fly polynomial trajectories, are predicted to be in loss of separation within
the lookahead time. The proposed algorithm is based on a well-known result in real algebraic geometry
called Tarski’s theorem. This theorem enables the computation of a Boolean value that precisely determines
whether or not the distance between two polynomial trajectories ever crosses a certain separation threshold 
within a time interval. In the case of linear trajectories, the quadratic formula can be used to determine 
whether a polynomial of degree 2, i.e., the square of the distance between two aircraft at any time, ever 
crosses the separation minima. In the case of polynomial trajectories of higher degree, Tarski’s theorem can 
be used to make the same determination. 

The rest of the paper is organized as follows. The conflict detection problem is discussed in Section II. 
Tarski’s theorem is described in Section III. This theorem is the backbone of the conflict detection algorithm 
for polynomial trajectories that is proposed in Section IV. The last section discusses related work and 
concludes the paper. The proposed conflict detection algorithm and its correctness property have been 
formally specified and verified in the Prototype Verification System (PVS). To make this paper accessible
to non-PVS users, this paper uses mathematical notation instead of PVS concrete syntax. 

II. Conflict Detection 

Since conflicts between multiple aircraft can be detected in a pairwise fashion, this paper only considers 
conflicts between two aircraft. These two aircraft are referred to as the ownship and the intruder. As 
usual in CD&R literature, the airspace volume is modeled using a flat-earth projection in a 3-dimensional 
rectangular coordinate system. That is, aircraft positions are viewed as points in $\mathbb{R}^3$. The separation
requirement between two aircraft is specified as a minimum horizontal separation D and a minimum vertical
separation H. Typically, D is 5 nautical miles and H is 1000 feet. In this paper, D and H are considered
to be known numerical constants. The separation requirement can be understood as an imaginary horizontal
cylinder, called the protected zone, of height 2H and diameter 2D around the intruder aircraft.

A loss of separation between the ownship and the intruder aircraft occurs when the horizontal distance 
between the aircraft is less than D and the vertical distance is less than H, i.e., when the ownship is in the 
interior of the intruder’s protected zone. Let $\mathbf{s}_o \in \mathbb{R}^3$ and $\mathbf{s}_i \in \mathbb{R}^3$ be the current positions of the ownship and
intruder aircraft, respectively. Formally, the ownship and intruder aircraft are said to be in loss of separation
if the following predicate on $\mathbf{s}_o$ and $\mathbf{s}_i$ holds.

$$\mathit{los?}(\mathbf{s}_o, \mathbf{s}_i) = |s_z| < H \text{ and } \|\mathbf{s}_{(x,y)}\| < D,$$

where $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$, i.e., $\mathbf{s}$ is the relative position of the ownship with respect to the intruder aircraft, and
$\mathbf{s}_{(x,y)}$ is the horizontal projection of the 3-dimensional vector $\mathbf{s}$.


American Institute of Aeronautics and Astronautics 


II. A. Trajectories 


An aircraft trajectory represents the set of possible positions for the aircraft according to some state
propagation model. A state propagation model for CD&R systems may be as simple as a linear projection of
the current position at the current constant velocity. More complicated models consider uncertainties in
the aircraft state due to aircraft dynamics, weather patterns, and other factors. In this paper, an aircraft
trajectory is a continuous function that maps a time in $\mathbb{R}$ to an aircraft position in $\mathbb{R}^3$. Given a time $t \in \mathbb{R}$,
the evaluation of a trajectory at time $t$ is a point in $\mathbb{R}^3$ that represents the projected 3-dimensional position
for the aircraft at the time $t$.

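Example 1 (Linear Dynamics). Tactical state-based CD&R systems use an aircraft trajectory model that
assumes a linear projection of its current position $\mathbf{s} \in \mathbb{R}^3$ along its current velocity $\mathbf{v} \in \mathbb{R}^3$. This type
of trajectory can be represented by the parametric function $\mathit{linear}_{\mathbf{s},\mathbf{v}} : \mathbb{R} \to \mathbb{R}^3$, with parameters $\mathbf{s}$ and $\mathbf{v}$,
defined by

$$\mathit{linear}_{\mathbf{s},\mathbf{v}}(t) = \mathbf{s} + t\,\mathbf{v}. \tag{1}$$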

Example 2 (Turn Dynamics). During a steady coordinated turn without friction, the position of an aircraft
will follow a circle of radius $\frac{v^2}{g \tan\phi}$, where $v$ is the true air speed, $g$ is the acceleration of gravity, and $\phi$ is
the bank angle of the aircraft. Thus, the trajectory of an aircraft during a turn can be represented by the
parametric function $\mathit{turn}_{\mathbf{s},r,\alpha,\omega,v_z} : \mathbb{R} \to \mathbb{R}^3$, with parameters $\mathbf{s}$, $r$, $\alpha$, $\omega$, and $v_z$, defined by

$$\mathit{turn}_{\mathbf{s},r,\alpha,\omega,v_z}(t) = \mathbf{s} + (r \sin(\alpha + t\omega),\ r \cos(\alpha + t\omega),\ t\,v_z), \tag{2}$$

where $\mathbf{s}$ is the center point of the turn, $\omega = \pm\frac{g}{v}\tan\phi$, $\alpha$ is the angle along the turn at time zero, $r = \frac{v^2}{g \tan\phi}$,
and $v_z$ is the vertical speed.

Henceforth, trajectories for the ownship and intruder aircraft are denoted by $P_o$ and $P_i$, respectively.
Specifically, trajectories will be studied where each of the component functions of $P_o$ and $P_i$ is defined
with polynomials in a time variable $t$.

II. B. Conflict Detection Algorithms 

While loss of separation is formalized as a predicate on two aircraft positions $\mathbf{s}_o$ and $\mathbf{s}_i$, a conflict between
two aircraft is formalized as a predicate on the ownship and intruder trajectories $P_o$ and $P_i$ in $\mathbb{R} \to \mathbb{R}^3$,
respectively. The conflict predicate is defined for a lookahead time T that represents a time interval of
interest. As in the case of D and H, T is assumed to be a known numerical constant. The trajectories $P_o$
and $P_i$ are in conflict if there exists $t \in [0, T]$ such that the positions $P_o(t)$ and $P_i(t)$ are in loss of separation:

$$\mathit{conflict?}(P_o, P_i) = \exists\, t \in [0, T] : \mathit{los?}(P_o(t), P_i(t)). \tag{3}$$

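Example 3. If both trajectories, $P_o$ and $P_i$, are given by linear projections of the states of the aircraft at
time zero, then $P_o(t) = \mathbf{s}_o + t\,\mathbf{v}_o$ and $P_i(t) = \mathbf{s}_i + t\,\mathbf{v}_i$, where $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, and $\mathbf{v}_i$ are the positions and velocities
of the ownship and the intruder at time zero, respectively. In this case,

$$\mathit{conflict?}(P_o, P_i) = \exists\, t \in [0, T] : |s_z + t\,v_z| < H \text{ and } \|\mathbf{s}_{(x,y)} + t\,\mathbf{v}_{(x,y)}\| < D,$$

where $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$ and $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$. This definition is typically used in state-based CD&R.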

An algorithm used by an aircraft to detect conflicts with another aircraft is called a conflict detection 
algorithm. In this paper, a conflict detection algorithm is a function cd that takes as inputs $P_o$ and $P_i$, and
returns a Boolean value. Formally, a conflict detection algorithm cd is complete if for all trajectories $P_o, P_i$
such that $\mathit{conflict?}(P_o, P_i) = \text{true}$, it holds that $\mathit{cd}(P_o, P_i) = \text{true}$. Similarly, it is sound if for trajectories
$P_o, P_i$ such that $\mathit{cd}(P_o, P_i) = \text{true}$, it holds that $\mathit{conflict?}(P_o, P_i) = \text{true}$. Finally, the algorithm cd is correct
if it is both sound and complete. 

II. C. Conflict For Polynomial Trajectories

In this paper, a state propagation model based on polynomial trajectories is considered. That is, it is
assumed that

$$P_o(t) = (a_q t^q + \cdots + a_1 t + a_0,\ b_r t^r + \cdots + b_1 t + b_0,\ c_s t^s + \cdots + c_1 t + c_0),$$

$$P_i(t) = (d_k t^k + \cdots + d_1 t + d_0,\ e_l t^l + \cdots + e_1 t + e_0,\ f_m t^m + \cdots + f_1 t + f_0),$$

where $q$, $r$, $s$, $k$, $l$, and $m$ are, respectively, the degrees of the polynomials appearing above.

Given the explicit descriptions above of these trajectories, conflict between these trajectories can be
specified as follows.

$$\begin{aligned}
\mathit{conflict?}(P_o, P_i) = {} & \exists\, t \in \mathbb{R} : \\
& t \ge 0 \text{ and} \\
& T - t \ge 0 \text{ and} \\
& D^2 - ((a_q t^q + \cdots + a_0) - (d_k t^k + \cdots + d_0))^2 - ((b_r t^r + \cdots + b_0) - (e_l t^l + \cdots + e_0))^2 > 0 \text{ and} \\
& H^2 - ((c_s t^s + \cdots + c_0) - (f_m t^m + \cdots + f_0))^2 > 0.
\end{aligned} \tag{4}$$

Thus, detecting a conflict for these polynomial trajectories is equivalent to solving this system of four
polynomial relations. Indeed, each of the last four lines of the formula is of the form $p(t)\ R\ 0$, where $R$ is in
the set $\{\ge, >\}$, and where $p(t)$ is a polynomial in the variable $t$.

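For a linear trajectory model, Formula 4 can be reduced to

$$\begin{aligned}
\mathit{conflict?}(P_o, P_i) = {} & \exists\, t \in \mathbb{R} : \\
& t \ge 0 \text{ and} \\
& T - t \ge 0 \text{ and} \\
& D^2 - ((v_{ox} t + s_{ox}) - (v_{ix} t + s_{ix}))^2 - ((v_{oy} t + s_{oy}) - (v_{iy} t + s_{iy}))^2 > 0 \text{ and} \\
& H^2 - ((v_{oz} t + s_{oz}) - (v_{iz} t + s_{iz}))^2 > 0,
\end{aligned}$$

where $P_o = (v_{ox} t + s_{ox},\ v_{oy} t + s_{oy},\ v_{oz} t + s_{oz})$, $P_i = (v_{ix} t + s_{ix},\ v_{iy} t + s_{iy},\ v_{iz} t + s_{iz})$, and $\mathbf{s}_o$, $\mathbf{s}_i$, $\mathbf{v}_o$, $\mathbf{v}_i$ are the
positions and velocities of the ownship and the intruder at time zero.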

III. Tarski’s Theorem 

In Section II. C, it is shown that the problem of detecting conflicts for polynomial trajectories is equivalent 
to determining whether a system of four polynomial equations has a solution t, where t is a real number. 
There is an algorithm that can efficiently determine whether or not this system of polynomials has a solution. 
Such an algorithm belongs to the mathematics field of semi-algebraic geometry, which is the study of systems
of polynomial relations. The algorithm presented in this paper is a particular instance of a more general 
algorithm for determining the existence of solutions of any system of polynomial relations. 

To illustrate how it is possible to analytically determine whether a polynomial relation has a solution,
consider first the simple case of a single quadratic polynomial inequality $at^2 + bt + c \le 0$, where $a > 0$.
This quadratic opens upward, and therefore this inequality has a solution if and only if there exists at least
one root of this polynomial, meaning that there exists some $t$ where $at^2 + bt + c = 0$. By using
the quadratic formula, it is relatively easy to see that this happens if and only if $b^2 - 4ac \ge 0$. Thus, the
analytic way to check whether $at^2 + bt + c \le 0$ has a solution is to check whether $b^2 - 4ac \ge 0$. This shows
that determining analytically whether a polynomial formula has a solution is possible, at least in the case
where the polynomial is a quadratic.

In fact, it is possible to determine analytically whether any polynomial system has a solution. The
algorithm used in this paper is based on Tarski’s theorem. First, recall that the extended real numbers $\mathbb{R}^*$
are defined as the real numbers $\mathbb{R}$ with two extra points added, namely $\infty$ and $-\infty$. Any polynomial $p$ can
be evaluated at any point of $\mathbb{R}^*$, and it returns another extended real number in $\mathbb{R}^*$. For instance, if $p$ is
the polynomial $p(t) =$ then $p(\infty) = \infty$ and $p(-\infty) = \infty$, and if $p$ is the polynomial $p(t) =$ then
$p(\infty) = -\infty$ and $p(-\infty) = \infty$. Next, let $g$ and $h$ be univariate polynomials, such that $h$ is nonzero. Using
the standard Euclidean division algorithm for polynomials, it is always possible to find polynomials $q$ and $r$
such that $g = q \cdot h + r$ and the degree of $r$ is less than the degree of $h$. Let $\mathrm{rem}(g, h)$ denote the polynomial $r$
after division, known as the remainder. Given univariate polynomials $p$ and $g$, the Sturm sequence of $p$ and
$g$ is a sequence $S$ of polynomials

$$p_0, p_1, p_2, \ldots, p_m, \tag{5}$$

where

$$\begin{aligned}
p_0 &= p, \\
p_1 &= g \cdot p', \\
\forall d > 1 :\ p_d &= -\mathrm{rem}(p_{d-2}, p_{d-1}), \\
p_m &= 0, \text{ and} \\
p_{m-1} &\ne 0.
\end{aligned} \tag{6}$$

Evaluating each of the polynomials in a Sturm sequence at some $x \in \mathbb{R}^*$ produces a sequence of extended
real numbers. A function $\sigma_{p,g}$ is defined on $\mathbb{R}^*$ by setting $\sigma_{p,g}(x)$ to be equal to the number of sign changes
in this sequence. When counting the number of sign changes in an evaluated Sturm sequence, any zeros are
ignored. For example, if $m = 7$ and $p_0(x) = 4$, $p_1(x) = -3$, $p_2(x) = -5$, $p_3(x) = 0$, $p_4(x) = 18$, $p_5(x) = -4$,
$p_6(x) = -1$ and $p_7(x) = 0$, there are sign changes between $p_0(x)$ and $p_1(x)$, between $p_2(x)$ and $p_4(x)$, and
between $p_4(x)$ and $p_5(x)$. In this case, the number of sign changes in the sequence is given by $\sigma(x) = 3$.

A basic form of Tarski’s theorem states that for $a, b \in \mathbb{R}^*$ with $a < b$, if neither $a$ nor $b$ is a root of both
$p$ and $p' \cdot g$, then

$$\sigma_{p,g}(a) - \sigma_{p,g}(b) = \mathrm{card}(\{x \in (a, b] : p(x) = 0 \text{ and } g(x) > 0\}) - \mathrm{card}(\{x \in (a, b] : p(x) = 0 \text{ and } g(x) < 0\}).$$

Here, the function $\mathrm{card}(S)$ denotes the cardinality of a finite set $S$. The case where $g$ is the constant
polynomial 1 is commonly known as Sturm’s theorem. The basic version of Tarski’s theorem motivates
the definition of the Tarski query, TQ, which is a function with polynomials $p$ and $g$ as inputs.

$$\mathrm{TQ}(p, g) = \sigma_{p,g}(-\infty) - \sigma_{p,g}(\infty).$$


Theorem 1. Let $p$, $g$ be univariate polynomials. Then

$$\mathrm{TQ}(p, g) = \mathrm{card}(\{x \in \mathbb{R} : p(x) = 0 \text{ and } g(x) > 0\}) - \mathrm{card}(\{x \in \mathbb{R} : p(x) = 0 \text{ and } g(x) < 0\}).$$

The proof of Theorem 1 can be found in works on real algebraic geometry. Theorem 1 is enough to
prove the correctness theorem of the conflict detection algorithm presented in this paper. That correctness
theorem is Theorem 5. The rest of this section discusses how, in general, Theorem 1 above can be used to solve
arbitrary systems of polynomials. This general framework, as just noted, is not required to prove
the main correctness theorem (Theorem 5).

Well-written expositions of Sturm’s and Tarski’s theorems can be found in the literature. Instantiating
the polynomial $g$ with $1$, $g$, and $g^2$ in Theorem 1, it can be seen that the following equality of vectors
holds, where there is a matrix multiplication on the right hand side.

$$\begin{pmatrix} \mathrm{TQ}(p, 1) \\ \mathrm{TQ}(p, g) \\ \mathrm{TQ}(p, g^2) \end{pmatrix} = M \cdot \begin{pmatrix} \mathrm{card}(S_{=}) \\ \mathrm{card}(S_{>}) \\ \mathrm{card}(S_{<}) \end{pmatrix}, \tag{7}$$

where $S_R = \{x \in \mathbb{R} : p(x) = 0 \text{ and } g(x)\ R\ 0\}$ and

$$M = \begin{pmatrix} 1 & 1 & 1 \\ 0 & 1 & -1 \\ 0 & 1 & 1 \end{pmatrix}. \tag{8}$$

Since the matrix $M$ is invertible, the vector on the far right hand side can be computed by calculating the
three Tarski queries.

In the following sections, entries of matrices are expressed with indices starting at 0. The top left entry of
a matrix is its (0, 0)-th entry, and the first entry of a vector is its 0-th entry. The expression $M[i, j]$ denotes
the $(i, j)$ entry of a matrix $M$. Let $\mathbf{g} = (g_0, \ldots, g_k)$ be any sequence of polynomials and define $\mathrm{TQ}(p, \mathbf{g})$ to
be the vector with entries whose $i$-th entry is given by

$$\mathrm{TQ}\Big(p, \prod_{d=0}^{k} g_d^{\,i_d}\Big),$$

where $(i_0, \ldots, i_k)$ is the base-3 representation of $i$. Let $\mathrm{NSol}(p, \mathbf{g})$ be the vector with entries whose
$j$-th entry is given by the cardinality of the set

$$\mathrm{SolSet}(p, \mathbf{g}, j) = \{x \in \mathbb{R} : p(x) = 0 \text{ and } g_0(x)\ R_0\ 0 \text{ and } \ldots \text{ and } g_k(x)\ R_k\ 0\},$$

where each relation $R_d$, with $0 \le d \le k$, is given by

$R_d =$

and where $(j_0, \ldots, j_k)$ is the base-3 representation of $j$.

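Theorem 2. For any polynomial $p$ and sequence $\mathbf{g} = (g_0, \ldots, g_k)$, all with real coefficients,

$$\mathrm{TQ}(p, \mathbf{g}) = M^{\otimes(k+1)} \cdot \mathrm{NSol}(p, \mathbf{g}). \tag{9}$$

Theorem 2 and its proof can be found in works on real algebraic geometry. The matrix $M^{\otimes(k+1)}$ in
Formula (9) denotes the standard $(k + 1)$ tensor power of the matrix $M$. The matrix $M^{\otimes(k+1)}$ is invertible
and its inverse is given by the following formula.

$$\left(M^{\otimes(k+1)}\right)^{-1} = \begin{pmatrix} 1 & 0 & -1 \\ 0 & \tfrac{1}{2} & \tfrac{1}{2} \\ 0 & -\tfrac{1}{2} & \tfrac{1}{2} \end{pmatrix}^{\otimes(k+1)}$$

The next result follows immediately from this.

Theorem 3. For a nonzero polynomial $p$ and a sequence of nonzero polynomials $\mathbf{g} = (g_0, \ldots, g_k)$, all with
real coefficients,

$$\mathrm{NSol}(p, \mathbf{g}) = \left(M^{\otimes(k+1)}\right)^{-1} \cdot \mathrm{TQ}(p, \mathbf{g}).$$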

The theorem above follows directly from the discussion above, and a more in-depth discussion and
proof can be found in works on real algebraic geometry. Theorem 3 enables the effective computation
of $\mathrm{NSol}(p, \mathbf{g})$, which are cardinalities of sets of the form

$$\{x \in \mathbb{R} : p(x) = 0 \text{ and } g_0(x)\ R_0\ 0 \text{ and } \ldots \text{ and } g_k(x)\ R_k\ 0\},$$

with $R_d \in \{=, >, <, \ne, \ge, \le\}$ for $0 \le d \le k$. That is, this theorem makes it possible to count solutions
to sets of relations, provided that one of the relations is an equality. In the more general case, it is always
possible to reduce any system of polynomials with relations in $\{=, >, <, \ne, \ge, \le\}$, to a system of polynomials
where one of the relations is an equality. This can be done by adding one extra polynomial equation, where
the polynomial in question is either the product of the polynomials in the system or the derivative of that
product. This is stated by the following theorem, whose reasoning follows from standard theorems in real
analysis.

Theorem 4. Consider a collection of polynomials $g_0, \ldots, g_k$ and relations $R_0, \ldots, R_k$, where $R_d \in \{=, >, <, \ne, \ge, \le\}$
for $0 \le d \le k$. Suppose that the system $S = g_0(t)\ R_0\ 0$ and ... and $g_k(t)\ R_k\ 0$ is not
satisfied at either $-\infty$ or $\infty$. Then $S$ has a solution $t \in \mathbb{R}$ if and only if one of the following two conditions
holds, where $Q$ is the polynomial $\prod_{d=0}^{k} g_d$.

• $S$ and $Q = 0$ are satisfiable at a common point.

• $S$ and $Q' = 0$ are satisfiable at a common point.

IV. Conflict Detection Algorithm for Polynomial Trajectories

Let $P_o$ and $P_i$ be the polynomial trajectories described in Section II.C. Recall from that section that
conflict detection between $P_o$ and $P_i$ is equivalent to determining whether the following system of polynomials
has a solution $t \in \mathbb{R}$.

$$\mathit{CDp}_0(t) \ge 0 \text{ and } \mathit{CDp}_1(t) \ge 0 \text{ and } \mathit{CDp}_2(t) > 0 \text{ and } \mathit{CDp}_3(t) > 0,$$

where the polynomials $\mathit{CDp}_0$, $\mathit{CDp}_1$, $\mathit{CDp}_2$, and $\mathit{CDp}_3$ are defined by

$$\begin{aligned}
\mathit{CDp}_0(t) &= t, \\
\mathit{CDp}_1(t) &= -t + T, \\
\mathit{CDp}_2(t) &= D^2 - ((a_q t^q + \cdots + a_0) - (d_k t^k + \cdots + d_0))^2 - ((b_r t^r + \cdots + b_0) - (e_l t^l + \cdots + e_0))^2, \\
\mathit{CDp}_3(t) &= H^2 - ((c_s t^s + \cdots + c_0) - (f_m t^m + \cdots + f_0))^2.
\end{aligned}$$

Theorem 4 makes it possible to define a conflict detection algorithm for trajectories of this type by computing
the coefficients of the appropriate row of the matrix $\left(M^{\otimes(k+1)}\right)^{-1}$ as well as the vector $\mathrm{TQ}(p, \mathbf{g})$. This enables
the direct computation of the corresponding element of the vector $\mathrm{NSol}(p, \mathbf{g})$. In fact, the algorithm first
simplifies the above system by noting that if either $\mathit{CDp}_0(t) = 0$ or $\mathit{CDp}_1(t) = 0$, then this system has a
solution at either 0 or T. Thus, the algorithm first checks whether there is a solution at 0 or T and then
uses Theorem 4 to check whether there is a solution to the following system, which only includes $>$ relations
and no $\ge$ relations.

$$\mathit{CDp}_0(t) > 0 \text{ and } \mathit{CDp}_1(t) > 0 \text{ and } \mathit{CDp}_2(t) > 0 \text{ and } \mathit{CDp}_3(t) > 0. \tag{10}$$

Theorem 4 implies that the product of one of the polynomials is zero at the solution point, since their product
$Q$ is zero at that point. However, the system of polynomial relations in Formula (10) has only $>$ relations,
so it is impossible that the product of these polynomials is zero at any point where this system is satisfied.
Thus, the only other possibility for the conditions in Theorem 4 to have a solution is for a solution to exist at
a point where the derivative of the product of these four polynomials is zero. This motivates the definition
of the conflict detection algorithm in Figure 1 for polynomial trajectories $P_o$ and $P_i$. The algorithm below
returns a Boolean value depending on whether the aircraft are in conflict or not.

The sum of 16 Tarski queries that appears in the definition of the algorithm cd_poly in Figure 1 is equal
to twice the dot product of the 40-th row of $(M^{\otimes 4})^{-1}$ with the vector $\mathrm{TQ}(\Pi', (g_0, g_1, g_2, g_3))$, where, as
in the algorithm above, $g_i = \mathit{CDp}_i$, for $0 \le i \le 3$, and $\Pi = g_0 \cdot g_1 \cdot g_2 \cdot g_3$. The 40-th row of this matrix
corresponds to the 40-th entry of the vector

$$\mathrm{NSol}(\Pi', (g_0, g_1, g_2, g_3)),$$

which is given by the following cardinality:

$$\mathrm{card}(\{t \in \mathbb{R} : \Pi'(t) = 0 \text{ and } g_0(t) > 0 \text{ and } g_1(t) > 0 \text{ and } g_2(t) > 0 \text{ and } g_3(t) > 0\}).$$

The correctness theorem for the algorithm above is presented below. It is the main result of this paper. 

Theorem 5 (Correctness for Polynomial Trajectories). The conflict detection algorithm cd_poly is both
sound and complete, and therefore also correct, for polynomial trajectories. That is, for all polynomial
trajectories $P_o$ and $P_i$, $\mathit{conflict?}(P_o, P_i) = \text{true}$, i.e., the trajectories are in conflict, if and only if

$$\mathit{cd\_poly}(P_o, P_i) = \text{true}.$$

Theorem 5 states that, assuming a polynomial trajectory model, the algorithm cd_poly precisely detects 
all conflicts, i.e., it does not miss any conflict and it does not return true when aircraft trajectories are not 
actually in conflict. 
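
cd_poly($P_o$, $P_i$) =
  let
    $g_0 = \mathit{CDp}_0$, $g_1 = \mathit{CDp}_1$, $g_2 = \mathit{CDp}_2$, $g_3 = \mathit{CDp}_3$,
    $\Pi = g_0 \cdot g_1 \cdot g_2 \cdot g_3$ in
  if $\mathit{los?}(P_o(0), P_i(0))$ or $\mathit{los?}(P_o(T), P_i(T))$ then
    true
  elsif $g_0 = 0$ or $g_1 = 0$ or $g_2 = 0$ or $g_3 = 0$ or $\Pi' = 0$ then
    false
  elsif
    $\mathrm{TQ}(\Pi', g_0 g_1 g_2 g_3) + \mathrm{TQ}(\Pi', g_0 g_1 g_2 g_3^2) + \mathrm{TQ}(\Pi', g_0 g_1 g_2^2 g_3) + \mathrm{TQ}(\Pi', g_0 g_1 g_2^2 g_3^2)\ +$
    $\mathrm{TQ}(\Pi', g_0 g_1^2 g_2 g_3) + \mathrm{TQ}(\Pi', g_0 g_1^2 g_2 g_3^2) + \mathrm{TQ}(\Pi', g_0 g_1^2 g_2^2 g_3) + \mathrm{TQ}(\Pi', g_0 g_1^2 g_2^2 g_3^2)\ +$
    $\mathrm{TQ}(\Pi', g_0^2 g_1 g_2 g_3) + \mathrm{TQ}(\Pi', g_0^2 g_1 g_2 g_3^2) + \mathrm{TQ}(\Pi', g_0^2 g_1 g_2^2 g_3) + \mathrm{TQ}(\Pi', g_0^2 g_1 g_2^2 g_3^2)\ +$
    $\mathrm{TQ}(\Pi', g_0^2 g_1^2 g_2 g_3) + \mathrm{TQ}(\Pi', g_0^2 g_1^2 g_2 g_3^2) + \mathrm{TQ}(\Pi', g_0^2 g_1^2 g_2^2 g_3) + \mathrm{TQ}(\Pi', g_0^2 g_1^2 g_2^2 g_3^2) \ne 0$ then
    true
  else
    false
  endif.


Figure 1. Conflict detection algorithm for polynomial trajectories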


Example 4. Consider the following two polynomial trajectories, which appear as an example in the literature.

$$\begin{aligned}
P_o(t) = (&-3.2484 + 270.7\,t + 433.12\,t^2 - 324.83999\,t^3, \\
&15.1592 + 108.28\,t + 121.2736\,t^2 - 649.67999\,t^3, \\
&38980.8 + 5414.0\,t - 21656.0\,t^2 + 32484.0\,t^3),
\end{aligned}$$

$$\begin{aligned}
P_i(t) = (&1.0828 - 135.35\,t + 234.9676\,t^2 + 3248.4\,t^3, \\
&18.40759 - 230.6364\,t - 121.2736\,t^2 - 649.67999\,t^3, \\
&40280.15999 - 10828.0\,t + 24061.9816\,t^2 - 32484.0\,t^3).
\end{aligned}$$

The unit of time for these trajectories is hours (hr), the unit of horizontal position is nautical miles (nmi),
and the unit of vertical position is feet (ft). At time $t = 0$ hours (current time), the positions of the ownship
and intruder aircraft are (−3.2484, 15.1592, 38980.8) and (1.0828, 18.40759, 40280.15999), respectively. At
this time, the aircraft are approximately 5.414 nmi apart horizontally and approximately 1299.36 ft apart
vertically. Thus, given the separation standard minima of 5 nmi horizontally and 1000 ft vertically, the
aircraft are not currently in loss of separation.

The algorithm cd_poly predicts that the aircraft are in conflict for a lookahead time of 5 minutes, i.e.,
when T = ^. That is, $\mathit{cd\_poly}(P_o, P_i) = \text{true}$. In fact, it is shown in the literature that the aircraft are in loss of
separation at time t = 252144 > about 70 seconds. It follows that $\mathit{conflict?}(P_o, P_i)$ holds. At this time,
the aircraft are approximately 4.999 nmi apart horizontally and −999.92 ft vertically.
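
The following is an added example, not code from the paper or its PVS development. It implements the Tarski query of Section III with exact rational arithmetic, uses it in cd_poly as laid out in Figure 1, and compares the result with a sampling detector of the kind described in the Introduction. It reads the Example 4 trajectories as cubics in t and assumes T = 1/12 hour for the 5-minute lookahead; all function names are illustrative.

```python
from fractions import Fraction as F
from functools import reduce
from itertools import product

# Polynomials are coefficient lists, lowest degree first, over exact rationals.
def trim(p):
    p = [F(c) for c in p]
    while p and p[-1] == 0:
        p.pop()
    return p

def add(p, q):
    n = max(len(p), len(q))
    return trim([(p[i] if i < len(p) else 0) + (q[i] if i < len(q) else 0)
                 for i in range(n)])

def mul(p, q):
    r = [F(0)] * max(len(p) + len(q) - 1, 0)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return trim(r)

def neg(p):
    return [-c for c in p]
def deriv(p):
    return trim([i * c for i, c in enumerate(p)][1:])
def evalp(p, t):
    return reduce(lambda r, c: r * t + c, reversed(p), F(0))   # Horner

def rem(g, h):
    # Remainder of the Euclidean division of g by a nonzero, trimmed h.
    g = trim(g)
    while len(g) >= len(h):
        c, shift = g[-1] / h[-1], len(g) - len(h)
        for i, b in enumerate(h):
            g[shift + i] -= c * b
        g = trim(g)
    return g

def sign_changes(seq, plus_inf):
    # Sign at +/-infinity: leading coefficient, flipped at -infinity for odd degree.
    flip = lambda p: 1 if plus_inf or len(p) % 2 else -1
    signs = [(1 if p[-1] > 0 else -1) * flip(p) for p in seq]
    return sum(a != b for a, b in zip(signs, signs[1:]))

def tarski_query(p, g):
    # TQ(p, g) = sigma(-inf) - sigma(+inf) over the Sturm sequence of p and g.
    seq = [trim(p), mul(deriv(p), g)]
    while seq[-1]:
        seq.append(neg(rem(seq[-2], seq[-1])))
    seq.pop()                                   # drop the terminating zero
    return sign_changes(seq, False) - sign_changes(seq, True)

def relative(po, pi):
    return [add(trim(a), neg(trim(b))) for a, b in zip(po, pi)]
def los(s, t, D, H):
    x, y, z = (evalp(c, t) for c in s)
    return x * x + y * y < D * D and abs(z) < H

def cd_sampled(po, pi, D, H, T, n):
    s = relative(po, pi)                        # n+1 evenly spaced samples in [0, T]
    return any(los(s, F(T) * k / n, D, H) for k in range(n + 1))

def cd_poly(po, pi, D, H, T):
    s = relative(po, pi)
    if los(s, F(0), D, H) or los(s, F(T), D, H):
        return True
    g = [trim([0, 1]), trim([T, -1]),
         add([F(D) ** 2], neg(add(mul(s[0], s[0]), mul(s[1], s[1])))),
         add([F(H) ** 2], neg(mul(s[2], s[2])))]
    dprod = deriv(reduce(mul, g))
    if not all(g) or not dprod:
        return False
    total = 0
    for e in product((1, 2), repeat=4):         # the 16 exponent vectors
        q = reduce(mul, [gi for gi, ei in zip(g, e) for _ in range(ei)])
        total += tarski_query(dprod, q)
    return total != 0

# Example 4 coefficients of 1, t, t^2, t^3 (x, y in nmi; z in ft; t in hours).
PO = [("-3.2484", "270.7", "433.12", "-324.83999"),
      ("15.1592", "108.28", "121.2736", "-649.67999"),
      ("38980.8", "5414.0", "-21656.0", "32484.0")]
PI = [("1.0828", "-135.35", "234.9676", "3248.4"),
      ("18.40759", "-230.6364", "-121.2736", "-649.67999"),
      ("40280.15999", "-10828.0", "24061.9816", "-32484.0")]
D, H, T = F(5), F(1000), F(1, 12)   # T: assumed 5-minute lookahead, in hours
```

With these inputs cd_poly reports the conflict, while cd_sampled with n = 300 (one sample per second) reports none, because the loss of separation near 70 seconds lasts only a few hundredths of a second and falls between samples.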

V. Related Work and Conclusion 

Safety properties, including soundness, completeness and correctness, have been formally verified for
CD&R algorithms that assume a linear trajectory model. A conflict resolution algorithm for curved
trajectories has been formally verified using hybrid-model checking techniques. Other types of trajectories,
such as piecewise linear trajectories, also enable analytic detection methods and thus, formal proofs of
these algorithms are feasible. CD&R algorithms that handle complicated nonlinear trajectories either iterate
conflict computations at specified discrete steps or they rely on approximation methods. Formal
verification of these kinds of algorithms is usually difficult. In previous work, the authors proposed a conflict detection
algorithm for arbitrary trajectory models and they verified in PVS that the algorithm is correct within some
approximation bounds. That is, the algorithm can be configured to be sound or complete, but not both.

This paper presents a conflict detection algorithm for two aircraft flying polynomial trajectories. The
algorithm precisely determines whether the aircraft are in conflict within a given lookahead time. The
proposed algorithm is sound and complete, i.e., it detects all conflicts and presents no false alarms. To the
best knowledge of the authors, this is the first conflict detection algorithm for nonlinear trajectory models 
that has been formally proved to be correct. While the algorithm presented in this paper assumed a trajectory 
model based on polynomial functions, this is not a significant limitation. Indeed, every nonlinear trajectory 
can be uniformly approximated with a polynomial trajectory in the time variable, for instance using Taylor 
series. This is because any continuous function can be uniformly approximated by polynomials. In addition,
there exist some models for turning trajectories, such as those based on splines, that are explicitly defined 
using polynomials. 

The mathematical development presented in this paper, including definitions and theorems, has been 
specified and verified in the interactive theorem prover PVS. A theorem prover is a computer program that 
provides a specification language and a logic engine that checks every deduction step of a mathematical 
proof. This verification process is resource-intensive, but the safety critical role that CD&R systems play in 
the airspace system largely justifies this formalization effort. 